OpenSSL patches “high” severity flaws in latest release

Posted on March 19, 2015

Two “high” severity flaws have been fixed in the latest version of OpenSSL. The development project released versions 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf on Thursday after a number of flaws were reported privately.

One of the most severe flaws could be exploited to launch a denial-of-service attack against a server running the affected 1.0.2 version of the software.

The second flaw was initially classified as “low” priority, but was upgraded after recent studies showed that server RSA export ciphersuite support is not as rare as first thought.

A total of 12 vulnerabilities were patched in this release.

OpenSSL serves as one of the most popular open-source and widely available toolkits for implementing SSL and TLS. It’s deployed at some of the largest and best-known services, including Facebook, Google, Yahoo, and across the federal government.

Although most developers and implementers are only finding out now, major vendors are said to have been given a prior heads-up so they could patch their systems ahead of the release of details about the flaws.

Confidence in the open-source project is rebuilding after a series of high-profile flaws threatened thousands of servers, websites, and databases protected by the software.

In April last year, a bug known as Heartbleed was discovered in an earlier version of OpenSSL, which could’ve allowed an attacker to reveal the contents of encrypted data, such as credit card transactions — even the SSL keys in question. The flaw had gone undetected in the code for years.

More recently, a new flaw, dubbed FREAK, allowed an attacker to potentially eavesdrop on encrypted connections by conducting man-in-the-middle attacks.